Requests containing URL parameters are now sanitised to prevent XSS a…

…ttacks
RhubarbPHP · mballantinegcd · May 20, 2024 · May 23, 2024 · May 27, 2024 · May 20, 2024
commit 6045be87ec1f470e2dc3525eb7cf3c996a7c524e
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Change log
 
+### 1.7.8
+
+* Updated: Requests containing URL parameters are now sanitised to prevent XSS attacks
+
 ### 1.7.7
 * Fixed: More deprecated required parameter follows optional parameter warnings
 

diff --git a/src/UrlHandlers/UrlHandler.php b/src/UrlHandlers/UrlHandler.php
@@ -266,6 +266,17 @@ protected function getAbsoluteHandledUrl()
         return $request->server("REQUEST_SCHEME") . "://" . $request->server("SERVER_NAME") . $this->handledUrl;
     }
 
+    private function sanitizeRequest($request) {
+        foreach ($request as $key => $value) {
+            if (is_string($value)) {
+                $request->$key = filter_var($value, FILTER_SANITIZE_STRING);
+            } elseif (is_array($value)) {
+                $request->$key = filter_var_array($value, FILTER_SANITIZE_STRING);
+            }
+        }
+        return $request;
+    }
+
     /**
      * Return the response when appropriate or false if no response could be generated.
      *
@@ -277,6 +288,10 @@ protected function getAbsoluteHandledUrl()
      */
     public function generateResponse($request = null, $currentUrlFragment = false)
     {
+        if ($request !== null) {
+            $request = $this->sanitizeRequest($request);
+        }
+
         if ($currentUrlFragment === false) {
             $currentUrlFragment = $request->urlPath;
         }